This specification relates to network security.
A network is a system of computer assets in data communication. Many networks are private networks, e.g., a particular network may be an internet protocol based network that is logically independent from other internet protocol based networks. An enterprise network of a company that is connected to the Internet through a router and firewall is one such example of a private network.
One or more security provisioning systems can be used to protect each network from attacks by malicious software and users. For example, a network security system includes network sensors that are deployed at the edge of a protected network or within the network, and one or more network security servers in data communication with the network sensors. The sensors monitor the actions of assets that are attempting to gain access to the network or that have been granted access to the network, and report the actions taken by the assets to the network security servers. The sensors can take actions with respect to an asset immediately, or can take actions with respect to the asset as determined by the network security server(s), depending upon a number of security related factors.
The network security server(s) process the data reporting the monitored actions of assets and determine, based on the monitored actions, whether particular assets are a security risk, e.g., infected with a virus or under the control of a malicious agent, such as a bot. One technique for determining whether an asset is a security risk is to assign weights to a list of predefined activities (heuristics) that are to be monitored for each asset. If an asset is observed performing one of the monitored activities, then the weight associated with that activity is attributed to the asset. The weights attributed to the asset from the observed activities are then processed to determine whether the asset is a security risk. For example, the weights may be aggregated, averaged, or processed according to some other function to determine a value that is compared to a risk threshold. If the value exceeds the risk threshold, then the asset is determined to be a security risk.
Such detection processes, however, are susceptible to false positive or false negative detections. In particular, none of the heuristics or activities is solely associated with malicious agents. In fact, many of the activities may be performed as a result of a legitimate process. For example, one common activity that is often monitored is a connection attempt to an invalid address, e.g., an invalid Internet Protocol (IP) address and port number combination. The activity may be the result of a legitimate process, e.g., a request for a software update from a trusted provider when the trusted provider's server is down, or when the trusted provider has moved the software update service to a different host. Likewise, the activity may be the result of a malicious process, e.g., a bot that has taken over the computer and is scanning the network for services to exploit. In both cases, the weights associated with the activity contribute equally to the determination of whether an asset is a security risk. However, in the case of the former, the asset presents no security risk; conversely, in the case of the latter, the asset presents a significant security risk. Thus, for a relatively high number of monitored occurrences of the action in the former case, the security system may incorrectly identify the asset as a security risk. Conversely, for a relatively low number of monitored occurrences of the action in the latter case, the security system may incorrectly determine that the asset is not a security risk.
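To make the weakness concrete, the following Python sketch of the weighted-heuristic scoring described above is added here; it is not code from the specification, and the activity names, weights, threshold and the two event streams are constructed for illustration. Because both assets trigger the same heuristic with the same weight, the verdict depends only on how often the activity was seen, not on which process caused it.

```python
"""Weighted-heuristic risk scoring (added illustration, not from the
specification). All activity names, weights and data are constructed."""
from collections import Counter
from typing import Dict, Iterable

# Constructed weights for monitored activities (heuristics).
ACTIVITY_WEIGHTS: Dict[str, float] = {
    "invalid_address_connect": 2.0,  # IP/port combination with no service
    "dns_failure": 1.0,
    "outbound_irc": 4.0,
}
RISK_THRESHOLD = 10.0  # constructed threshold


def risk_score(observed: Iterable[str], mode: str = "sum") -> float:
    """Attribute each observed activity's weight to the asset and combine.

    mode="sum" aggregates the weights; mode="avg" averages the weight
    per observation (so repeated identical activity never raises it).
    """
    counts = Counter(a for a in observed if a in ACTIVITY_WEIGHTS)
    total_obs = sum(counts.values())
    if total_obs == 0:
        return 0.0
    total_weight = sum(ACTIVITY_WEIGHTS[a] * n for a, n in counts.items())
    if mode == "sum":
        return total_weight
    if mode == "avg":
        return total_weight / total_obs
    raise ValueError(f"unknown mode: {mode}")


def is_security_risk(observed: Iterable[str], mode: str = "sum") -> bool:
    """Asset is flagged when the combined value exceeds the threshold."""
    return risk_score(observed, mode) > RISK_THRESHOLD


# Constructed event streams for two assets that trigger the same heuristic.
LEGIT_UPDATER = ["invalid_address_connect"] * 6  # retried update check, vendor host moved
BOT_SCANNER = ["invalid_address_connect"] * 3    # early, low-rate service scan


def demo() -> Dict[str, bool]:
    """Same heuristic, opposite outcomes from what an analyst would want."""
    return {
        "legit_updater_flagged": is_security_risk(LEGIT_UPDATER),  # False positive
        "bot_scanner_flagged": is_security_risk(BOT_SCANNER),      # False negative
    }
```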